#!/bin/bash


disk=`fdisk -l|grep "Disk /dev"|awk '{print $2}'|sed 's/://g'|grep -v vda|sed 's/\/dev\///g'`

IP=`ifconfig |grep "Bcast"|awk '{print $2}'|awk -F: '{print $2}'|head -1`
##------------Function for format the disk------------##
function fdisk_mkfs()
{
fdisk -S 56 /dev/$disk << EOF
n
p
1
	
	
wq
EOF
sleep 5
#mkfs.xfs /dev/${disk}1
mkfs.ext4 /dev/${disk}1

cat >>/etc/fstab <<EOF
`blkid /dev/${disk}1 | awk '{print $2}'|sed 's/\"//g' ` /data  ext4 noatime,nodiratime,acl,defaults 0 0
EOF
mkdir /data
mount -a
}



#####################系统优化部分#####################
function ker_youhua()
{
cat  >>/usr/lib/sysctl.d/00-system.conf << EOF
# 开启恶意icmp错误消息保护
net.ipv4.icmp_ignore_bogus_error_responses = 1
#关闭路由转发
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
#开启反向路径过滤
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
#处理无源路由的包
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
#关闭sysrq功能
kernel.sysrq = 0
#core文件名中添加pid作为扩展名
kernel.core_uses_pid = 1
# 开启SYN洪水攻击保护
net.ipv4.tcp_syncookies = 1
#修改消息队列长度
kernel.msgmnb = 65536
kernel.msgmax = 65536
#设置最大内存共享段大小bytes
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
#timewait的数量，默认180000
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096        87380   4194304
net.ipv4.tcp_wmem = 4096        16384   4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
#每个网络接口接收数据包的速率比内核处理这些包的速率快时，允许送到队列的数据包的最大数目
net.core.netdev_max_backlog = 262144
#限制仅仅是为了防止简单的DoS 攻击
net.ipv4.tcp_max_orphans = 3276800
#未收到客户端确认信息的连接请求的最大值
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
#内核放弃建立连接之前发送SYNACK 包的数量
net.ipv4.tcp_synack_retries = 1
#内核放弃建立连接之前发送SYN 包的数量
net.ipv4.tcp_syn_retries = 1
#启用timewait 快速回收
net.ipv4.tcp_tw_recycle = 1
#开启重用。允许将TIME-WAIT sockets 重新用于新的TCP 连接
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
#当keepalive 起用的时候，TCP 发送keepalive 消息的频度。缺省是2 小时
net.ipv4.tcp_keepalive_time = 30
#允许系统打开的端口范围
net.ipv4.ip_local_port_range = 1024    65000
#修改防火墙表大小，默认65536
#net.netfilter.nf_conntrack_max=655350
#net.netfilter.nf_conntrack_tcp_timeout_established=1200
# 确保无人能修改路由表
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
EOF

}

sysctl -p
echo "初始化硬盘"
fdisk_mkfs
yum install cronolog -y
#chkconfig nginx on

echo " CentOS 7 系统优化"
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
echo "*           soft     nofile    1024000 " >> /etc/security/limits.conf
echo "*           hard     nofile    1024000 " >> /etc/security/limits.conf
echo "*           soft     nproc     1024000 " >> /etc/security/limits.conf
echo "*           hard     nproc     1024000 " >> /etc/security/limits.conf
sed -i 's/*          soft    nproc     4096/*          soft    nproc     40960/g' /etc/security/limits.d/20-nproc.conf

#更新所有软件包
echo "更新所有软件包"
yum update -y

#系统优化
echo "系统优化"
ker_youhua

#时间配置 NTP 安装
yum install ntpdate -y
#echo "*/30 * * * * /usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1" >>/var/spool/cron/root
#ntp时间服务器
if [ `rpm -qa|grep ntp|wc -l` -ne 0 ]
then
     yum install ntp -y
    systemctl start ntpd
else
        systemctl start ntpd
fi
cat  >>/etc/ntp.conf << EOF
server ntp1.aliyun.com iburst minpoll 4 maxpoll 10
server ntp2.aliyun.com iburst minpoll 4 maxpoll 10
server ntp3.aliyun.com iburst minpoll 4 maxpoll 10
server ntp4.aliyun.com iburst minpoll 4 maxpoll 10
server ntp5.aliyun.com iburst minpoll 4 maxpoll 10
server ntp6.aliyun.com iburst minpoll 4 maxpoll 10
server 0.cn.pool.ntp.org
server 1.cn.pool.ntp.org
server 2.cn.pool.ntp.org
server 3.cn.pool.ntp.org
EOF
systemctl restart ntpd

yum  install  expect -y
#新增用户

#############################等保2.0 安全合规配置部分###########################

#系统安全审计
#logrotate日志保存周期
sed -i 's/weekly/monthly/g'  /etc/logrotate.conf
sed -i 's/rotate 4/rotate 72/g'  /etc/logrotate.conf
sed -i 's/#compress/compress/g'  /etc/logrotate.conf
service rsyslog restart

#开启审计功能
if [ `rpm -qa|grep audit|wc -l` -ne 0 ]
then
    yum install auditd -y
    service   auditd  start
else
        service  auditd  start
fi

cat  >>/etc/audit/rules.d/audit.rules << EOF

#收集用户的文件删除事件
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

#收集对系统管理范围
-w /etc/group -p wa -k identity 
-w /etc/passwd -p wa -k identity 
-w /etc/gshadow -p wa -k identity 
-w /etc/shadow -p wa -k identity 
-w /etc/security/opasswd -p wa -k identity
#收集修改用户/组信息的事件
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope

EOF

cat  >>/etc/audit/audit.rules << EOF
#收集用户的文件删除事件
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

#收集对系统管理范围
-w /etc/group -p wa -k identity 
-w /etc/passwd -p wa -k identity 
-w /etc/gshadow -p wa -k identity 
-w /etc/shadow -p wa -k identity 
-w /etc/security/opasswd -p wa -k identity
#收集修改用户/组信息的事件
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
EOF

service auditd restart

#设置服务器登录超时时间、设置history文件内容
cat >> /etc/profile <<EOF
TMOUT=600
HISTFILESIZE=30 
HISTSIZE=30
EOF

#配置登陆失败锁定 (deny为连续失败次数,unlock_time为解锁时间)
cat >>/etc/pam.d/password-auth <<EOF
auth        required      pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900
EOF
cat >>/etc/pam.d/system-auth <<EOF
auth        required      pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900
EOF

#设置最大密码尝试失败次数5
cat >> /etc/ssh/sshd_config <<EOF
MaxAuthTries 5
EOF

##ClientAliveInterval 900 每15分钟往客户端发送会话请求，保持连接 ，重试10次
sed -i 's/#ClientAliveInterval 0/ClientAliveInterval 900/g' /etc/ssh/sshd_config
sed -i 's/#ClientAliveCountMax 3/ClientAliveCountMax 10/g' /etc/ssh/sshd_config

#只允许特定的组用户su切换到root
sed -i 's/#auth		required	pam_wheel.so use_uid/auth		required	pam_wheel.so use_uid/g'   /etc/pam.d/su
echo  "SU_WHEEL_ONLY yes" >> /etc/login.defs
#将用户xxx加入到wheel组里边
#usermod  -G wheel xxx


#设置密码复杂度要求
#cat >> /etc/security/pwquality.conf <<EOF
#minlen=8
#minclass=3
#EOF
#设置口令长度和复杂度要求
sed -i 's/password    required      pam_deny.so/password    required      pam_deny.so password minlen=8 ucredit=-1 lcredit=-1 dcredit=-4 ocredit=-1/g'   /etc/pam.d/system-auth
 #minlen=8    密码最小长度
 #ucredit=-1  至少含一个大写字母
 #lcredit=-1  至少含一个小写字母
 #dcredit=-4  至少含四个数字
 #ocredit=-1  至少含一个数字

 
#centos 6
#cat >> /etc/pam.d/system-auth <<EOF
#password requisite pam_cracklib.so try_first_pass retry=3 minlen=11 minclass=3
#EOF
#定期更换密码
#cat >>/etc/login.defs <<EOF
#PASS_MAX_DAYS   180
#PASS_MIN_DAYS   1
#PASS_MIN_LEN    8
#PASS_WARN_AGE   28

#EOF
#chage --maxdays 90 root


#锁定账号  查询/etc/shadow 
usermod -L uucp 
usermod -L lp  
usermod -L adm 
usermod -L sync
usermod -L shutdown
usermod -L halt
usermod -L news
usermod -L operator
usermod -L gopher
usermod -L daemon
usermod -L mail
usermod -L ftp
usermod -L bin
usermod -L nobody

##进程守护
#supervisor 安装
easy_install supervisor
wget https://gitee.com/zjkguo/ywjb/raw/master/soft/supervisord.conf -O /etc/supervisord.conf
#添加自启动
wget https://gitee.com/zjkguo/ywjb/raw/master/soft/supervisord.service -O  /usr/lib/systemd/system/supervisord.service
systemctl enable supervisord.service

yum install unzip -y